Vulnerability CVE-2012-4970


Published: 2013-01-01

Description:
Cross-site scripting (XSS) vulnerability in the web management interface on Polycom HDX Video End Points with UC APL software before 2.7.1.1_J, and commercial software before 3.0.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

See advisories in our WLB2 database:
Topic
Author
Date
Low
Polycom HDX Video End Points Web Management Cross Site Scripting
Fara Denise Rust...
28.12.2012

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Polycom
Product: Hdx system software 
Version:
3.0.4
3.0.3.1
3.0.3
3.0.2
3.0.1
3.0.0.2
3.0.0.1
3.0.0
2.7.1_j
2.7.0_j
2.6.1.3
2.6.1
2.5.0.7_g
2.5.0.7
2.0.5_j

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
http://knowledgebase-iframe.polycom.com/kb/knowledgebase/End%20User/Tech%20Alerts/Video/15990_fHDX%20XSS%20Vulnerability%20-%20Security%20Bulletin%20101521.pdf
http://archives.neohapsis.com/archives/bugtraq/2012-12/0146.html

Related CVE
CVE-2019-14259
On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection (missing input validation) issue in the NTP server IP address field for the "Time Service Settings web" interface allows an authenticated remote attacker in the same n...
CVE-2019-10689
VVX products using UCS software version 5.9.2 and earlier with Better Together over Ethernet Connector (BToE) application version 3.9.1 and earlier provides insufficient authentication between the BToE application and the BToE component, resulting in...
CVE-2018-15128
An issue was discovered in Polycom Group Series 6.1.6.1 and earlier, HDX 3.1.12 and earlier, and Pano 1.1.1 and earlier. A remote code execution vulnerability exists in the content sharing functionality because of a Buffer Overflow via crafted packet...
CVE-2019-10688
VVX products with software versions including and prior to, UCS 5.9.2 with Better Together over Ethernet Connector (BToE) application 3.9.1, use hard-coded credentials to establish connections between the host application and the device.
CVE-2018-18568
Polycom VVX 500 and 601 devices 5.8.0.12848 and earlier allows man-in-the-middle attackers to obtain sensitive credential information by leveraging failure to validate X.509 certificates when used with an on-premise installation with Skype for Busine...
CVE-2018-18566
The SIP service in Polycom VVX 500 and 601 devices 5.8.0.12848 and earlier allow remote attackers to obtain sensitive phone configuration information by leveraging use with an on-premise installation with Skype for Business.
CVE-2018-7565
CSRF exists on Polycom QDX 6000 devices.
CVE-2018-7564
Stored XSS exists on Polycom QDX 6000 devices.

Copyright 2019, cxsecurity.com

 

Back to Top